CLAIMS



Having thus described our invention, what we claim as new and desire 
to secure by Letters Patent is as follows: 



1. A method for communication between two entities in a set of clients across a network such that their identities are concealed from each other and no third party is able to trace the communication comprising the steps of:

providing a set of Forwarding Agents (FAs), there being n FAs and several groups of these n agents, each of which consists of k members, where k (0 < k < n) is a fixed number considered sufficient to provide anonymity in the system and each FA belongs to at least one group;

providing each of the FAs with its own pair of public and private keys for encryption and decryption, respectively, where the underlying cryptosystem scheme is a commutative public key cryptosystem, each FA also having appropriate keys required to perform secure digital signatures on documents and to verify the signatures of other FAs;

registering each client with a Forwarding Agent S, the client once having selected a Forwarding Agent S, also picking one of the groups that the Forwarding Agent S belongs to, thus selecting k agents, to be associated with the client, the step of registering including assigning a pseudonym X to the client and providing the Forwarding Agent S with an encrypted form of the client's network address, rendering it unreadable to any individual FA;

maintaining by each FA a table with three fields, a pseudonym, a corresponding encrypted network address and the FA group to be used for forwarding;

delivering a message meant for a pseudonym X to Forwarding Agent (FA) S where X is registered using a protocol that protects the anonymity of the sender;

passing the message through a random sequence of FAs in the group to which Forwarding Agent S belongs; and

finding by the last FA in the sequence a visible network address and sending the message on to this address.

2. The method for communication recited in claim 1, wherein the step of registering comprises the steps of:

successively encrypting by the client the client's network address with the public keys of the selected agents to obtain an encrypted address, referred to as the "onion address" of the client;

sending by the client to the Forwarding Agent (FA) S a Registration Message which contains the client's onion address and a chosen pseudonym X, and also identifies the group of k agents selected by the client; and

adding by the Forwarding Agent the information contained in the Registration Message to its table.



3. The method for communication recited in claim 2, wherein the Registration Message is sent using a protocol which protects the anonymity of the sender.

4. The method for communication recited in claim 3, wherein the protocol used comprises the Forwarding Agent (FA) S having a publicized pseudonym and the client sending a message to that pseudonym.



5. The method for communication recited in claim 1, wherein once the Forwarding Agent (FA) S obtains a message intended for X, the Forwarding Agent S performs the steps of:

looking up X in its internal table and retrieving an encrypted version of the address of X, referred to as the "onion address" of X, as well as the group of FAs to be used for forwarding;

creating the list of the FAs that the message will pass through, which list includes all FAs other than S who will have to "peel the onion" before the address of the intended recipient is revealed, the list containing all the members of the appropriate group except the Forwarding Agent S itself; and

affixing the list to the head of the message.
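The onion address of claims 1, 2 and 5, shown as an added example that is not part of the patent text: because the cipher is commutative, the agents can peel their layers in any random order and the last one still recovers the address. The claims do not name a cryptosystem; an ElGamal-style scheme over a toy prime group is assumed here, and all function names, the group parameters and the sample address are constructed for illustration, as is the choice that S removes its own layer first.

```python
import random
import secrets

P = 2**127 - 1   # Mersenne prime; toy-sized group, illustration only (assumption)
G = 3            # base element (assumption)

def keygen():
    """Return (private, public) for one forwarding agent."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def onion_address(addr: bytes, public_keys):
    """Client side: add one layer per selected agent's public key."""
    m = int.from_bytes(addr, "big")
    if not 0 < m < P:
        raise ValueError("address does not fit in this toy group")
    r = secrets.randbelow(P - 2) + 1          # client's secret randomness
    c1, c2 = pow(G, r, P), m
    for h in public_keys:
        c2 = c2 * pow(h, r, P) % P            # layers multiply, so order is irrelevant
    return c1, c2

def peel(onion, x):
    """Agent side: remove this agent's layer with its private key x."""
    c1, c2 = onion
    return c1, c2 * pow(c1, P - 1 - x, P) % P  # c1^(-x) mod P by Fermat

def route(onion, private_keys, first, rng):
    """S (`first`) peels, then the other group members in random order."""
    rest = [n for n in private_keys if n != first]
    rng.shuffle(rest)
    for name in [first] + rest:
        onion = peel(onion, private_keys[name])
    m = onion[1]
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    keys = {n: keygen() for n in ("S", "FA2", "FA3")}   # constructed group, k = 3
    onion = onion_address(b"10.1.2.3:443", [pub for _, pub in keys.values()])
    privs = {n: x for n, (x, _) in keys.items()}
    print(route(onion, privs, "S", random.Random()))
```

Until every agent in the group has peeled, the second component remains masked by the remaining public keys, so no individual FA can read the address from its table.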



6. The method of communication recited in claim 5, further comprising the step of encrypting the message before forwarding it to FAs in the sequence.



7. The method of communication recited in claim 6, wherein the step of encrypting comprises the steps of:

splitting the message into blocks of a fixed size;

prefixing each block with a fixed number of random bits, producing blocks of a larger size; and

encrypting each block of a larger size with the public key or shared symmetric key of the intended recipient.

8. The method of communication recited in claim 6, wherein each FA which receives the message performs some verifications to ensure protocol consistency by other FAs.

9. The method of communication recited in claim 8, wherein the verifications comprise the steps of:

checking by an agent whether it is the first agent to be visited in the current domain and, if so, selecting at random a tag N which has not been recently used and affixing the tag to the message header before passing the message on;

otherwise, finding out the name S of the first agent to receive this message in the current domain;

verifying a signature of S on a first part of the signed sequence in the message header and, if this verification succeeds, then verifying that every successive segment of the signed sequence bears the valid signature of the agent named in the preceding segment;

verifying that the last segment of the signed sequence contains the name of the agent performing the verification, while the penultimate segment contains the name of the agent from which the message was received;

verifying that the list of unvisited agents does not contain any agents named in the signed sequence; and

if any of the verifications fail, aborting the current message.

10. The method of communication recited in claim 8, wherein the verifications comprise the steps of:

computing the agent's own sequence number i in the path followed by this message through the set of forwarding agents by subtracting the number of FAs in the list of unvisited FAs from k + 1;

checking if i is 1 and, if i is 1, then sending a coordinating agent (CA) 0 a request for a tag and receiving the tag N as well as the number k - 1, combined with N and signed before passing the message on;

if the number i is found to be different from 1, then verifying the signature of CA (i - 2) mod r on the signed number in the message header and, if verification succeeds, then verifying if the signed number is k + 1 - i and, if the verification succeeds, sending the numbers k + 1 - i and N and the name of the previous FA to CA (i - 1) mod r;

receiving a signed number and a signal from CA (i - 1) mod r and verifying if the signal is "OK" and, if so, verification is complete and the message is passed on; but

if any of the verifications fail, concluding that the protocol has not been executed correctly and aborting the current message.

11. The method of communication recited in claim 10, wherein the CA, upon receiving a request from some FA, referred to as P, for a tag, performs the steps of:

selecting a tag N and sending it to P;

combining the tag N with a number k - j, signing the result and sending the signed number to P along with an "OK" signal;

waiting for a message about the tag N, and upon receiving such a message, verifying if it came from the next CA referred to as D, and if the message did not come from D, announcing a protocol violation in receiving tag N;

otherwise, verifying the message involves the number k - 1, and if this verification fails, sending an "Abort" message to D; but

if the verification passes, sending to D an "OK" signal and the identity of P.

12. The method of communication recited in claim 10, wherein any CA other than CA 0, upon receiving a message from some FA referred to as P, performs the steps of:

finding a number j, a tag N, and the identity of P, the previous FA, in the message;

sending a message to the previous CA asking for the name of the corresponding FA, for tag N, and number j + 1;

receiving a signal and a table from the previous CA, and verifying that the signal is "OK" and the name is P, and if such verification fails, sending an "Abort" signal to P;

otherwise, verifying that the most recent request, if any, involving the tag N involved the number j + 1, verifying that it is the (k - j)th CA, and if either of these verifications fails, sending an "Abort" signal to P;

but if the verifications pass, combining j - 1 with N, signing the result and sending the signed number to P along with an "OK" signal;

waiting for a message about the tag N, and upon receiving such a message, verifying if it came from the next CA referred to as D, and if the message did not come from D, announcing a protocol violation in writing tag N;

otherwise, verifying the message involves the number j - 1, and if this verification fails, sending to D an "OK" signal and the identity of P.

Y0999-364

13. The method of communication recited in claim 5, wherein a next FA is chosen comprising the steps of:

checking by an agent if there are any more agents to be visited in the present domain and, if not, then marking the present domain as visited and removing the signed sequence from the message header;

choosing an unvisited domain at random and making it the present domain;

choosing an agent belonging to the current domain at random from the list of unvisited agents and, following this, passing the message on to the chosen agent;

if, instead, the agent finds that not all the agents in the domain have been visited, then choosing at random an unvisited agent belonging to the current domain;

combining the random number N with the name of the chosen agent and signing the resulting plaintext; and

adding the plaintext and signature to the signed sequence, following which the message is forwarded to the chosen agent.
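The signed sequence built in claim 13 and checked in claim 9, as an added example that is not part of the patent text: each forwarder signs (tag N, name of the chosen next agent), and the receiving agent walks the chain before accepting the message. HMAC with per-agent demo keys stands in for the FAs' digital signatures, and the segment layout, function names and agent names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo keys; a real deployment would use public-key signatures.
KEYS = {a: f"demo-key-{a}".encode() for a in ("S", "A", "B", "C")}

def sign(agent, tag, next_agent):
    msg = f"{tag}|{next_agent}".encode()
    return hmac.new(KEYS[agent], msg, hashlib.sha256).hexdigest()

def append_segment(seq, signer, tag, next_agent):
    """Claim 13: combine N with the chosen agent's name, sign, append."""
    return seq + [(tag, next_agent, sign(signer, tag, next_agent))]

def verify(seq, first_agent, me, received_from, unvisited):
    """Claim 9 checks run by agent `me`; returns None if all pass, else the reason."""
    if not seq:
        return "empty signed sequence"
    signer = first_agent                     # first segment must be signed by S
    for tag, named, sig in seq:
        if not hmac.compare_digest(sig, sign(signer, tag, named)):
            return f"bad signature, expected signer {signer}"
        signer = named                       # next segment is signed by the agent named here
    if seq[-1][1] != me:
        return "last segment does not name the verifying agent"
    # With a single segment, the sender is the first agent itself.
    sender = seq[-2][1] if len(seq) > 1 else first_agent
    if sender != received_from:
        return "penultimate segment does not name the sender"
    if {named for _, named, _ in seq} & set(unvisited):
        return "unvisited list contains an already-named agent"
    return None                              # any other result means: abort the message

if __name__ == "__main__":
    seq = append_segment([], "S", 7, "A")    # S forwards to A
    seq = append_segment(seq, "A", 7, "B")   # A forwards to B
    print(verify(seq, "S", "B", "A", ["C"]))
```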

14. The method of communication recited in claim 5, wherein a next FA is chosen comprising the steps of:

choosing by a current forwarding agent an FA at random from the list of unvisited FAs in the message header;

removing its own name from the list;

adding the signed number that it received from an appropriate coordinating agent (CA) to the message header; and

forwarding the message to the next chosen agent.